Security vulnerabilities

  • Status Closed
  • Assigned To No-one
  • Private
Attached to Project: Security vulnerabilities
Opened by grycolor - 15.01.2024
Last edited by cbay - 16.01.2024

FS#13 - Lack of Verification Email

Description:

The website lacks proper email verification.During the user registration process,it only sending a greeting email upon registration. The absence of email verification could lead to create unverified accounts and host content with any email address, potentially poses a serious security risk.

Impact :

The absence of email verification poses a significant security risk, allowing the potential use of any email address for registration on a hosting site without proper authentication. This could lead to the creation of accounts under false identities, enabling malicious actors to host illegal content anonymously.
The free hosting service, which doesn't require valid details, may be exploited for unauthorized activities, emphasizing the need for robust email verification procedures to ensure account legitimacy and prevent abuse like.

Spam distribution

Phishing campaigns

Distribution of illegal or harmful content

Reputational damage to the platform

So, I am Reporting this issue to the platform's security team for addressing the vulnerability and enhancing overall security.

Closed by  cbay
16.01.2024 13:46
Reason for closing:  Invalid
Admin
cbay commented on 16.01.2024 08:19

Hello,

I assume what you mean by "verifying emails" is sending a link to the specified email address and making sure the client has clicked on it, to make sure they own that address.

How would that prevent anyone from doing "bad" activities with their accounts, such as the ones you mentioned (spam, phishing, etc.)? Creating a new mailbox is trivial and can be done in seconds with services such as Temp Mail anyway.

Verifying emails has nothing to do with anonymity or legitimacy.

Kind regards,
Cyril

Thank you for sharing your perspective on email verification. While it's true that email verification might not address all aspects of online security, it remains an important step in confirming that the user has access to the provided email address.Without email verification, it becomes easier for someone to use anybody's email address, especially if the email is publicly available.

Account Validation: Email verification ensures that users provide valid and accessible email addresses during registration, reducing the risk of fake or malicious accounts.

Admin
cbay commented on 16.01.2024 10:20

Is there a problem using an email address that's not yours, from a security perspective? What would you gain doing that?

Identity collision: Any user can sign up with any email address, potentially invalidating or blocking the actual owner's registration due to duplicate email collision.

Someone used my email to make an account on a website, and that account got into trouble with issues like suspension or billing. Now, when I want to use the website, I can't make a new account because of problems caused by someone else using my email without permission. The core problem lies in the unauthorized use of my email

Admin
cbay commented on 16.01.2024 12:51

That's not a security issue: not being able to use your email when subscribing is a mere annoyance in a highly far-fetched scenario that never occurred even once in 16 years.

And even if it did happen, simply contacting us would solve the issue immediately.

If someone used my email , How i use my email to subscribe.

Admin
cbay commented on 16.01.2024 13:45

You'd contact us, or use another email address, or even don't subscribe. There's no security issue in any case.

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing